The Internal Revenue Service earlier this month warned company payroll departments about the "CEO scam," a technique used by online criminals to obtain personal data from employees.

The Amalgamated Sugar Company earlier this month alerted employees to an online breach that affected more than 2,858 people. The Nampa, Idaho-based business told workers of "a data breach that has resulted in the disclosure of employee personal information to an unauthorized person outside of the business."


The breach compromised the data of Amalgamated Sugar's current employees at all of its facilities, as well as anyone who worked at the company in 2016.

The hack took place through a phishing attack, where cybercriminals pose as CEOs and send fraudulent emails to employees or payroll departments asking for copies of W-2 forms. An Amalgamated Sugar employee fell for the scam and handed over copies of workers' tax info to the deceptive third party.

How does it work?

Cyber thieves send fake emails that appear to be from an organization's chief executive officer to human resources or payroll departments. The emails request employee information such as W-2 forms, federal tax documents that include a person's Social Security number, address and financial data.

That means your personal or financial info could be handed over to third-party crooks without your knowledge.

"What we are seeing is the continual evolution of scams," Kevin Haley, director of Symantec Security Response, told us Thursday. "If something works, why not find more ways to use it? So, the business email compromise scam has become a tax scam. The social engineering, the hook, the ways people get fooled are identical. Scammers have perfected this technique. They are now branching out to find other ways to use it."

Hackers are targeting school districts, restaurant chains, casinos, staffing agencies and nonprofit groups, according to the IRS.

The phishing scam isn't new. Last year, a Snapchat employee was duped by a fraudulent email that appeared to be from CEO Evan Spiegel. The social media company acknowledged that the data of some of its current and past employees was "disclosed externally."

"Attackers often prefer companies because they have more money and more data to steal than an individual," Haley explained. "Instead of having to phish and fool every employee, the attackers only have to fool one and they will get all the information."

Accounting departments are also receiving fake emails from company executives that request wire transfers for large amounts of cash. Unfortunately, some payroll employees have fallen victim to both scams, costing a company thousands of dollars and its employee data.

"This is where education is so important. We need to warn people about the technique, as much as the particulars of the scam," Haley said. "Best practices also need to be put into place to help people respond correctly to these techniques."

Before you hand over any personal data, check for the following red flags, Haley advised.

Do you know the sender?

Is there an attachment or link with a hard sell? Don’t download any attachments or click any links if you're not expecting the email.

If there’s a link, don’t click on it. Go directly to the company’s website (bank, etc.) to take any action, like changing your password.

Have good security software. It’s like having a security expert in a box. You need that help.
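The red flags above (do you know the sender, is there a hard sell, is there a link or attachment you were not expecting) can be turned into a mechanical first pass that a payroll or HR mailbox runs before anyone acts on a request. The following is an added example written for this page; it is not code from the article, the IRS, or Symantec. It assumes the organization's own domain is example.com and that its executives are listed by name; the three sample messages are constructed, not real mail.

```python
"""Screen inbound mail for the hallmarks of a CEO / W-2 phishing request.

Added illustration, not from the article. Checks each message for:
  1. an executive's name in the From display name but an outside domain,
  2. a Reply-To that would route answers to a different domain,
  3. a request for payroll/tax data or a wire transfer,
  4. pressure language (the "hard sell"),
  5. links or attachments.
Assumptions (constructed for the example): the company's real domain is
example.com and the executives are Jane Roe and John Doe.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the organization's own domain
EXECUTIVES = {"jane roe", "john doe"}   # assumed: names an impersonator would use

SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|social security|ssn|payroll)\b", re.I)
URGENT = re.compile(r"\b(urgent|asap|immediately|today|right away|confidential)\b", re.I)
LINK = re.compile(r"https?://", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate every text/plain part so keyword checks see the whole body."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def screen_email(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # Red flag: display name claims to be an executive, address is not ours.
    if any(exec_name in name.lower() for exec_name in EXECUTIVES) and from_dom != COMPANY_DOMAIN:
        flags.append(f"executive name '{name}' but external domain '{from_dom}'")

    # Red flag: replies would go somewhere other than the claimed sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.append(f"Reply-To domain '{_domain(reply)}' differs from From domain '{from_dom}'")

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    if SENSITIVE.search(text):
        flags.append("asks for payroll/tax data or a wire transfer")
    if URGENT.search(text):
        flags.append("pressure language (hard sell)")
    if LINK.search(text):
        flags.append("contains a link")
    if any(part.get_content_disposition() == "attachment" for part in msg.walk()):
        flags.append("carries an attachment")
    return flags


# Constructed samples: a W-2 request from a look-alike domain, a wire-transfer
# request that spoofs the real domain, and an ordinary internal message.
W2_SCAM = """From: "Jane Roe" <jane.roe@examp1e-corp.net>
Reply-To: payroll-request@mailbox-free.example
To: hr@example.com
Subject: URGENT: need W-2s for all employees today
Content-Type: text/plain; charset=utf-8

Hi, I'm in a meeting and can't talk. Please send the W-2 forms for all
staff as a PDF right away. Keep this confidential.
"""

WIRE_SCAM = """From: "John Doe" <john.doe@example.com>
To: accounting@example.com
Subject: Vendor payment
Content-Type: text/plain; charset=utf-8

Please process a wire transfer today. Details: http://invoice-portal.example/pay
"""

LEGIT = """From: "Jane Roe" <jane.roe@example.com>
To: hr@example.com
Subject: Q3 all-hands agenda
Content-Type: text/plain; charset=utf-8

Could you add the benefits update to the agenda? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("W-2 scam", W2_SCAM), ("wire scam", WIRE_SCAM), ("legit", LEGIT)):
        print(label, "->", screen_email(sample) or "no red flags")
```

The second sample matters: when the From address is forged on the company's own domain, the sender check says nothing and only the content checks (wire transfer, "today", a link) fire, which is why a flagged request should be confirmed with the executive by phone or in person rather than by replying to the email.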